US12101410B2ActiveUtilityA1

Hardware virtualized TPM into virtual machines

62
Assignee: MICROSOFT TECHNOLOGY LICENSING LLCPriority: Aug 12, 2021Filed: Aug 12, 2021Granted: Sep 24, 2024
Est. expiryAug 12, 2041(~15.1 yrs left)· nominal 20-yr term from priority
H04L 9/083G06F 2009/45587G06F 9/45558G06F 21/72H04L 9/3234G06F 21/57
62
PatentIndex Score
0
Cited by
8
References
20
Claims

Abstract

Methods, systems, apparatuses, and computer-readable storage mediums described herein enable executable code of a hardware security platform (HSP) circuit to communicate with a hypervisor in a separate processor. The hypervisor generates and manages virtual machines. The HSP code comprises trusted platform module (TPM) logic, that processes TPM commands received via the hypervisor, and in response to the processing, communicates security information (e.g., measurements, keys, authorization data) with the virtual machines via the hypervisor. The TPM logic receives security information related to a virtual machine from the hypervisor and stores the security information in non-volatile memory of the HSP circuit, where security information from a particular VM is distinguishable from security information from another VM in the HSP memory. The hypervisor (and VMs) communicate via a network fabric with the HSP circuit within an SOC, or the HSP may reside on a discrete chip and communicate via a secure encrypted channel.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
       1. A hardware security platform (HSP) circuit comprising:
 one or more processors; 
 one or more memory devices, the one or more memory devices storing program code comprising:
 HSP executable code configured to communicate with one or more virtual machines executed in a separate processor coupled to the HSP circuit; and 
 trusted platform module (TPM) logic configured to:
 receive a TPM command from the one or more virtual machines, the TPM command requesting attestation of the one or more virtual machines; 
 process the TPM command by retrieving first instantiation measurements for the one or more virtual machines, the first instantiation measurements being stored by the HSP circuit; 
 provide the first instantiation measurements to the one or more virtual machines; 
 receive security information related to a first virtual machine of the one or more virtual machines; and 
 store, in non-volatile memory of the HSP circuit, the security information. 
 
 
 
     
     
       2. The HSP circuit of  claim 1 , wherein the TPM logic is further configured to communicate with the one or more virtual machines via:
 one or more respective virtualized TPM interfaces in the one or more virtual machines; and 
 at least one of:
 a hypervisor executed in the separate processor; or 
 a confidential channel inaccessible to the hypervisor. 
 
 
     
     
       3. The HSP circuit of  claim 1 , wherein the TPM logic is further configured to:
 receive security information related to a second virtual machine of the one or more virtual machines; and 
 store, in the non-volatile memory of the HSP circuit, the security information related to the second virtual machine distinguishable from the security information related to the first virtual machine. 
 
     
     
       4. The HSP circuit of  claim 1 , wherein the security information comprises at least one of instantiation measurements, encryption keys, or authorization data. 
     
     
       5. The HSP circuit of  claim 1 , wherein the security information of the first virtual machine of the one or more virtual machines comprises instantiation measurements, and the TPM logic is further configured to:
 receive a sequence of instantiation measurements related to the first virtual machine of the one or more virtual machines; and 
 store, in the non-volatile memory of the HSP circuit, each measurement of the sequence of instantiation measurements related to the first virtual machine as a measurement extension relative to a prior measurement of the sequence. 
 
     
     
       6. The HSP circuit of  claim 5 , further comprising:
 an HSP measurement recorder configured to:
 instantiate HSP executable code; and 
 store, in the non-volatile memory of the HSP circuit, a measurement of the HSP executable code instantiation; 
 
 the HSP executable code further configured to:
 instantiate the TPM logic; and 
 store, in the non-volatile memory of the HSP circuit, a measurement of the TPM logic instantiation; 
 wherein the TPM logic instantiation measurement is stored as an extension of the HSP executable code instantiation measurement, and 
 a measurement of the sequence of instantiation measurements related to the first virtual machine is stored as measurement extension relative to the instantiation measurements of the HSP executable code and the TPM logic. 
 
 
     
     
       7. The HSP circuit of  claim 5 , wherein the one or more virtual machines are generated by a hypervisor that is instantiated in the separate processor coupled to the HSP circuit, and wherein:
 the hypervisor instantiates the first virtual machine in the separate processor, and 
 hypervisor instantiation measurements are included in the sequence of instantiation measurements related to the first virtual machine of the one or more virtual machines. 
 
     
     
       8. The HSP circuit of  claim 3 , wherein the TPM logic is further configured to:
 receive authorization data corresponding to the first virtual machine, and 
 in response, store the authorization data for the first virtual machine in the HSP non- volatile memory distinguishable from authorization data for the second virtual machine. 
 
     
     
       9. The HSP circuit of  claim 1 , wherein the TPM logic is further configured to:
 provide attestation for a configuration state of the first virtual machine to the first virtual machine based on instantiation measurements related to the HSP executable code, the TPM logic, a hypervisor, and the first virtual machine stored in the one or more memory devices of the HSP circuit as the security information related to the first virtual machine; and 
 provide an encryption key to the first virtual machine in response to receiving correct authorization data from the first virtual machine, wherein the encryption key and a value of the authorization data are stored in the one or more memory devices of the HSP circuit as the security information related to the first virtual machine. 
 
     
     
       10. A method for virtualizing trusted platform module (TPM) logic in a hardware security platform (HSP) circuit to a virtual machine, the method comprising:
 configuring HSP executable code to communicate with one or more virtual machines executed in a separate processor coupled to the HSP circuit; 
 receiving a TPM command from the one or more virtual machines, the TPM command requesting attestation of the one or more virtual machines; 
 processing the TPM command by retrieving first instantiation measurements for the one or more virtual machines, the first instantiation measurements being stored by the HSP circuit; 
 providing the first instantiation measurements to the one or more virtual machines; 
 receiving, by the TPM logic, security information related to a first virtual machine of the one or more virtual machines; and 
 storing, by the TPM logic, in non-volatile memory of the HSP circuit, the security information. 
 
     
     
       11. The method of  claim 10 , further comprising:
 communicating, by the TPM logic, with the one or more virtual machines via:
 one or more respective virtualized TPM interfaces in the one or more virtual machines; and 
 at least one of:
 a hypervisor executed in the separate processor; or 
 a confidential channel inaccessible to the hypervisor. 
 
 
 
     
     
       12. The method of  claim 10 , further comprising:
 receiving, by the TPM logic, security information related to a second virtual machine of the one or more virtual machines; and 
 storing, by the TPM logic in the non-volatile memory of the HSP circuit, the security information related to the second virtual machine distinguishable from the security information related to the first virtual machine. 
 
     
     
       13. The method of  claim 10 , wherein the security information comprises at least one of instantiation measurements, encryption keys, or authorization data. 
     
     
       14. The method of  claim 10 , wherein the security information of the first virtual machine of the plurality of virtual machines comprises instantiation measurements, and the method further comprises:
 receiving, by the TPM logic, a sequence of instantiation measurements related to the first virtual machine of the one or more virtual machines; and 
 storing, by the TPM logic in the non-volatile memory of the HSP circuit, each measurement of the sequence of instantiation measurements related to the first virtual machine as a measurement extension relative to a prior measurement of the sequence. 
 
     
     
       15. The method of  claim 14 , further comprising:
 instantiating, by an HSP measurement recorder, the HSP executable code, and 
 storing, by the HSP measurement recorder in the non-volatile memory of the HSP circuit, a measurement of the HSP executable code instantiation; 
 instantiating, by the HSP executable code, the TPM logic, and 
 storing, by the HSP executable code in the non-volatile memory of the HSP circuit, a 
 measurement of the TPM logic instantiation; 
 wherein the TPM logic instantiation measurement is stored as an extension of the HSP executable code instantiation measurement, and 
 a measurement of the sequence of instantiation measurements related to the first virtual machine is stored as measurement extension relative to the instantiation measurements of the HSP executable code and the TPM logic. 
 
     
     
       16. The method of  claim 14 , wherein:
 the one or more virtual machines are generated by a hypervisor that is instantiated in the separate processor coupled to the HSP circuit, 
 the hypervisor instantiates the first virtual machine in the separate processor, and the method further comprises:
 including hypervisor instantiation measurements in the sequence of instantiation measurements related to the first virtual machine of the one or more virtual machines. 
 
 
     
     
       17. The method of  claim 12 , further comprising:
 receiving, by the TPM logic, authorization data corresponding to the first virtual machine; and 
 in response to said receiving, storing the authorization data for the first virtual machine in the HSP non-volatile memory distinguishable from authorization data for the second virtual machine. 
 
     
     
       18. The method of  claim 10 , further comprising:
 providing, by the TPM logic, attestation for a configuration state of the first virtual machine to the first virtual machine based on instantiation measurements related to the HSP executable code, the TPM logic, a hypervisor, and the first virtual machine stored in the one or more memory devices of the HSP circuit as the security information related to the first virtual machine; and 
 providing, by TPM logic, an encryption key to the first virtual machine in response to receiving correct authorization data from the first virtual machine, wherein the encryption key and a value of the authorization data are stored in the one or more memory devices of the HSP circuit as the security information related to the first virtual machine. 
 
     
     
       19. A system for virtualizing trusted platform module (TPM) logic in a hardware security platform (HSP) circuit to a virtual machine, the system comprising:
 a first circuitry comprising:
 one or more processors; and 
 one or more memory devices, the one or more memory devices storing program code to be executed by the one or more processors, the program code comprising:
 a hypervisor configurable to generate and manage one or more virtual machines, wherein the one or more virtual machines are configurable to communicate TPM security information to the TPM logic in a second circuitry; and 
 
 
 the second circuitry comprising:
 one or more processors; and 
 one or more memory devices, the one or more memory devices storing program code to be executed by the one or more processors, the program code comprising:
 HSP executable code configured to communicate with the one or more virtual machines, and 
 TPM logic configured to:
 receive a TPM command from the one or more virtual machines, the TPM command requesting attestation of the one or more virtual machines; 
 process the TPM command by retrieving first instantiation measurements for the one or more virtual machines, the first instantiation measurements being stored by the HSP circuit; 
 provide the first instantiation measurements to the one or more virtual machines; 
 receive TPM security information related to a first virtual machine of the one or more virtual machines; and 
 store, in non-volatile memory of the HSP circuit, the TPM security information related to the first virtual machine wherein the stored TPM security information of the first virtual machine is distinguishable from TPM security information related to a second virtual machine stored in the non-volatile memory of the HSP. 
 
 
 
 
     
     
       20. The system of  claim 19 , wherein the TPM logic is further configured to:
 communicate with the one or more virtual machines via one or more respective virtualized TPM interfaces in the one or more virtual machines; and 
 at least one of:
 a hypervisor executed in the separate processor, or 
 a confidential channel inaccessible to the hypervisor.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.